Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c78f3f2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 34a9285)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.2] libct/nsenter: become root after joining userns

Since Go 1.19, the same functionality is there in os/exec package.
As we require go 1.22 now, there's no need to have this.

This basically reverts commit 9258eac ("libct/start: use execabs for
newuidmap lookup").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit eb2ff52)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

…5ad667ca900b2e57e7d698e3484-to-1.2

[1.2] libct: rm x/sys/execabs usage

Because we have the overlay solution, we can drop runc-dmz binary
solution since it has too many limitations.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 871057d)
Signed-off-by: lifubang <lifubang@acmcoder.com>

[1.2] drop runc-dmz solution according to overlay solution

Those are taken from commit bc20cb4.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.2] CHANGELOG: add (forward-port) v1.1.15 changes

Improve readability of ConvertMemorySwapToCgroupV2Value by switching
from a bunch of if statements to a switch, and adding a comment
describing each case.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit cb9f3d6)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

This allows to do

	runc update $ID --memory=-1 --memory-swap=$VAL

for cgroup v2, i.e. set memory to unlimited and swap to a specific
value.

This was not possible because ConvertMemorySwapToCgroupV2Value rejected
memory=-1 ("unlimited"). In a hindsight, it was a mistake, because if
memory limit is unlimited, we should treat memory+swap limit as just swap
limit.

Revise the unit test; add description to each case.

Fixes: c86be8a ("cgroupv2: fix setting MemorySwap")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 732806e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

While this is used by the majority of upper container runtimes, it was
not needed for runc itself. Since commit 515f09f runc uses overlay,
too, so let's add a check for this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ee1bced)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

There is a typo in the comment (ClonedBinary should be CloneBinary), and
the code has changed a bit since then, and it makes more sense to refer
to CloneSelfExe now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8cc7375)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

This was added by commit f2f1621 when runc-dmz was still a thing.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5586d7c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.2] runc update: fix updating swap for cgroup v2

[1.2] Post overlay addition and dmz removal nits

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>